W32/Lovgate@M Last Updated 2/24/03 1:30PM

CIT has recieved inquiries regarding the w32/Lovgate@M virus. W32/Lovgate@M is an email worm that replies to messages in the infected client's inbox using its own smtp engine. It sends a copy of itself disguised as an automated reply. The worm also spreads through open network shares.

In email form, W32/Lovgate@M appears as follows:

The body contains:

Wherever.com account auto-reply:

' I'll try to reply as soon as possible.
Take a look at the attachment and send me your opinion!'

>Get your Free wherever.com account now! <

Wherever.com is the domain used by the infected client.

The attachment may be one of the following:

• billgt.exe
• Card.EXE
• docs.exe
• fun.exe
• hamster.exe
• humor.exe
• images.exe
• joke.exe
• midsong.exe
• news_doc.exe
• pics.exe
• PsPGame.exe
• s3msong.exe
• searchURL.exe
• SETUP.EXE
• tamagotxi.exe

All inbound smtp traffic is being scanned.

NAI has released 4249 DAT/SuperDat that can be downloaded here to detect and remove W32/Lovgate@M.

The 2/24/03 and later definitions released by Symantec will detect and remove W32/Lovgate@M. Definitions are available through the LiveUpdate feature of Norton Antivirus.

For more information see:

http://vil.nai.com/vil/content/v_100072.htm from NAI.
http://securityresponse.symantec.com/avcenter/venc/data/w32.hllw.lovgate.c@mm.html from Symantec.

This archive is not intended to be comprehensive. For a more complete virus library, please visit NAI's Virus Information Library at http://vil.nai.com.